Abstract. The Attacks done by Viruses, Worms, Hackers, etc. are a
Network Security-Problem in many Organisations. Current Intrusion De- 
tection Systems have significant Disadvantages, e.g. the need of plenty of 
Computational Power or the Local Installation. Therefore, we introduce 
a novel Framework for Network Security which is called SANA. SANA 
contains an artificial Immune System with artificial Cells which perform 
certain Tasks in order to support existing systems to better secure
the Network against Intrusions. The Advantages of SANA are that it is 
efficient, adaptive, autonomous, and massively-distributed. In this Arti- 
cle, we describe the Architecture of the artificial Immune System and the 
Functionality of the Components. We explain briefly the Implementation 
and discuss Results. 

1 Introduction

Companies, Universities, and other Organisations use connected Computers, 
Servers, etc. for Working, Storing of important Data, and Communication. These 
Networks are a Target for Attackers who want to break down the Network Service
or to gain internal and secret Information. 

These Attacks are Intrusions which are e.g. Worms, Viruses, Hacker-Attacks.
Network Administrators try to secure the Network against these Intrusions using 
Intrusion Detection Systems (IDS). The Network Intrusion Detection Systems 
(NIDS) are a local System which is installed in one important Node and which 
checks all Packets routed over this Node, e.g. SNORT [1] or [2,3,4,5,6]. Host- 
based Intrusion Detection Systems (HIDS) are installed on each Node and check 
each Packet which is routed over this Node [7,8,9]. Furthermore, there are ap- 
proaches of distributed Intrusion Detection Systems (D-IDS) which install IDS 
on all machines and connect these; one example is SNORTNET [10]. 

Unfortunately, these IDS have several Disadvantages, for example the need for
plenty of Computational Power, the need of Administration during Execution,
and local Installation. Additionally, the Intrusions are getting both more and 
more complex and intelligent, so that the IDS have lots of Problems to identify 
the Intrusions, e.g. Camouflage of Attacks. Thus, novel Approaches for Network 
Security are needed which should provide the following features: 

— Distributed: all Nodes should be secured and there should not be any central 
Center 

— Autonomous: the System and all Components should work autonomously; 
hereby, the number of false-positives should be low 

— Adaptive: the System should have the ability to identify or react to modified 
or even novel Attacks 

— Cooperative: The Computational Power should be shared over the whole 
Network 

In SANA, we introduce an artificial Immune System which provides the fea- 
tures explained above. In the next Section, we discuss existing artificial Immune 
Systems for the Application of Network Security. 

2 Current Situation 

For the explanation of the different existing artificial Immune Systems for Net- 
work Security, we will introduce briefly the Paradigm of artificial Immune Sys- 
tems [11]: 

An artificial Immune System tries to simulate the human Immune System 
which secures the Human Body against Pathogens [12]. An artificial Immune Sys- 
tem is a massively distributed System and Complex Adaptive System with lots 
of components. In the human Immune System, these Components are e.g. Cells, 
Lymph-Nodes, Bone Marrow. All of these Components work autonomously, ef- 
ficiently and are highly specialised. These Components cooperate using the Cell 
Communication with e.g. Cytokines and Hormones. Additionally, there are lots 
of cellular and immunological Processes which mesh in the Protection of the 
Human Body. The artificial Immune Systems try to model these. Unfortunately, 
the human Immune System and the Modelling of it are very complex and partly not
understood. Therefore, artificial Immune Systems can only model a part of the 
human Immune System. 

There are several artificial Immune Systems for Network Security. We discuss 
some interesting Approaches of artificial Immune Systems for Network Security: 

Spafford and Zamboni introduce in [13] a System for Intrusion Detection 
using autonomous Agents. These Agents cooperate with Transceivers and do 
not move through the Network. Hofmeyr and Forrest [14,15,16] introduce an
artificial Immune System for Network Security (named ARTIS/LISYS). The 
AIS models the Lifecycle of T- and B-Cells with positive and negative Selec- 
tion. The non-mobile Detectors check a Triple of Source-IP, Destination-IP and 
Destination-Port and evaluate if a Packet is malicious or not. Additionally, in 
this Broadcast-Network, all Detectors see all Packets and react to it. In [17] an
artificial Immune System as a Multi-Agent System is introduced for Intrusion
Detection. The system uses mobile Agents which cooperate with a centralised 
Database containing the Attack-Information. 

In the next Section we introduce the Architecture of the artificial Immune 
System SANA. In contrast to the existing artificial Immune Systems, SANA 
uses autonomous, fully-mobile, and lightweighted artificial Cells; additionally,
SANA does not have any centralised System. Furthermore, SANA is not a closed 
Framework; it is possible to use existing Network Security Approaches in SANA. 
Thereafter, we take a closer look on the different Components of the artificial 
Immune System. 

3 SANA - Architecture 

The artificial Immune System of SANA secures the whole Network against In- 
trusions and provides the Features explained above. In SANA, we simulate a 
packet-oriented Network using a Network Simulator (see Section 3.1). SANA is 
a collection of non-standard Approaches for Network Security and we test if they 
increase the Performance of existing Network Security Systems. An Adversarial 
injects Packets with and without Attacks in order to stress the Network and the 
artificial Immune System as well as to simulate Attacks (Section 3.2). 

The artificial Immune System uses several Components for the Security of 
the Network. All of these Components work autonomously and there is no Center 
which is required by any Component. The main Components are artificial Cells, 
Packet-Filters, IDS, etc. Packet-Filters are a local System that check the Header 
of each Packet. IDS are local, non-mobile Systems which check Packets and observe
the Network Traffic in order to secure the Node where the IDS is installed.
Artificial Cells (Section 3.3) are autonomous, fully-mobile, and lightweighted
Entities which flow through the Network and perform certain Tasks for Network
Security, e.g. Packet-Checking, Identification of Infected Nodes or Monitoring of
the Network. Furthermore, artificial Cell Communication (Section 3.4) is used to 
initialise Cooperation and Collaboration between the artificial Cells and a Self- 
Management (Section 3.5) is utilised for a Regulation of the artificial Immune 
System. In the next Sections, we take a closer look on the different Components 
of SANA. 

3.1 Network Simulator, Security Framework and Workflow 

The Network Simulator simulates a Packet-Oriented Network and is based on 
the Adversarial Queueing Theory [18,19,20]. The Simulator uses a FIFO (First 
In First Out) approach for Queueing and for Routing the Shortest Path Routing 
with the Dijkstra-Algorithm. It has a Quality of Service (QoS) Management 
which prefers artificial Cells and other important Messages that are sent between 
certified Components of the AIS. 

The Security Framework is the AIS which must be installed on each Node
of the Network. Furthermore, this Framework guarantees e.g. the execution of 
the artificial Cells, the Presentation of Packets to all Security Components, the 
Sending of Messages. The Design of the Security Framework is focussed on Ex- 
pandability in order to enhance it and to use existing Approaches in Network 
Security. One example of a Network Security Approach is Malfor [21], a system 
for Identification of the Processes which are involved in the Installation of an
Intrusion. 

The Workflow is that each Packet is checked in each Node by every Security 
Component - e.g. artificial Cells, Packet-Filters, and IDS - each Security Compo- 
nent can perform other Tasks - e.g. moving to other Nodes or sending Messages 
- and the Adversarial injects Packets into the Network. 
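
The Simulator behaviour described in this Section, as an added Python sketch (it is not the SANA implementation, which is written in Java): shortest-path Routing with Dijkstra, a bounded FIFO Queue with a QoS lane that serves AIS traffic first, and per-Node Packet checks. The topology, the port rule, the payload marker and all names are assumptions constructed for the example.

```python
import heapq
from collections import deque

def shortest_path(graph, src, dst):
    """Dijkstra over {node: {neighbour: cost}}; returns the hop list or None."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist[u]:
            continue                      # stale heap entry
        for v, w in graph[u].items():
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]

class NodeQueue:
    """Bounded FIFO; the QoS lane for AIS traffic is always served first."""
    def __init__(self, capacity):
        self.capacity, self.ais, self.normal = capacity, deque(), deque()

    def enqueue(self, packet):
        if len(self.ais) + len(self.normal) >= self.capacity:
            return False                  # limited queue size: packet is lost
        (self.ais if packet.get("ais") else self.normal).append(packet)
        return True

    def dequeue(self):
        lane = self.ais or self.normal    # FIFO order inside each lane
        return lane.popleft() if lane else None

def forward(graph, packet, deployed):
    """Route a packet; on each hop every component present there inspects it."""
    path = shortest_path(graph, packet["src"], packet["dst"])
    for hop in path or []:
        for name, accepts in deployed.get(hop, []):
            if not accepts(packet):
                return {"delivered": False, "dropped_at": hop, "by": name}
    return {"delivered": path is not None, "dropped_at": None, "by": None}

# Constructed sample topology and checks (not taken from the paper).
GRAPH = {"A": {"B": 1, "D": 5}, "B": {"A": 1, "C": 1},
         "C": {"B": 1, "D": 1}, "D": {"A": 5, "C": 1}}
DEPLOYED = {"A": [("packet-filter", lambda p: p["dst_port"] != 23)],
            "C": [("checking-cell", lambda p: b"SAMPLE-WORM" not in p["payload"])]}
```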

3.2 Adversarial and Attacks 

An Adversarial has the Function to Stress the Network and the AIS using Packets 
with and without Attacks; it has to keep in mind that the bandwidth of the 
connection is limited and that the queues have limited size. The Adversarial 
injects Packets without Attacks in order to simulate a real Network. The Packets 
with Attacks try to infect Nodes with Attacks; the infected Nodes then perform 
certain Tasks depending on the Attack, e.g. sending Packets with Attack to other 
Nodes. The Attack is an abstract Definition for all Intrusions in SANA. So, nearly 
all Intrusions can be modelled, e.g. Worms, Viruses, and Hacker-Attacks. 

3.3 Artificial Cells 

Artificial Cells are the main Component in the artificial Immune System of 
SANA. An artificial Cell is a highly specialised, autonomous and efficient En- 
tity which flows through the Network and performs certain Tasks for Network 
Security. In the Cooperation and with the enormous Number of artificial Cells, 
the whole System adapts quickly to Attacks and even to modified and novel At- 
tacks; the idea of Complex Adaptive Systems (CAS) or Massively-Distributed 
Systems. 

Each artificial Cell has the Job to perform some certain Task: 

— ANIMA for Intrusion Detection which is a type of artificial Cells for checking 
Packets whether they contain an Attack or not. Furthermore, it compresses 
the Information how to identify and how to proceed if an Attack is found 
in order to save Storage-Space and Computational Power. More Information 
about ANIMA-ID can be found in [22]. 

— AGNOSCO which is a type of artificial Cells for the Identification of Infected 
Nodes using artificial Ant Colonies. It is a distributed System which identifies 
the infected Nodes quickly and properly. More Information can be found in 
[23]. 

— Monitoring artificial Cell which flows through the Network and collects
Information about the Status and sends this back to some certain Component,
e.g. the Administrator. 

— Using the Expandability of SANA, it is easily possible to introduce novel
artificial Cells. Thus, it is e.g. possible to introduce artificial Cells for Anomaly
Detection or Checking of the Status of a Network Node. 

— Additionally, it is possible to use existing Approaches for Network Security. 
With the Expandability of SANA, these Approaches can be used in an artificial
Cell; examples are Systems for Intrusion- [22,24] or Anomaly-Detection
Systems [25,26,27]. 

3.4 Artificial Cell Communication 

The idea in Complex Adaptive System (CAS) is that the Components (here: arti- 
ficial Cells) perform basic Tasks, are highly specialised and use basic Systems for 
Cooperation. Only by Cooperation and the high amount of these Components, 
the System is adaptive and reaches the goal (here: Network Security). 

The whole Architecture in SANA is composed without any central System. 
Thus, the artificial Cell Communication cannot use a Central Management Sys- 
tem like it is used in several Multi Agent Systems or Ad-Hoc Networks. We 
model partly the Cell Communication of the Human Body in order to build up 
Communication and, thereafter, Cooperation between artificial Cells.

We introduce the Term Receptor which is a Public-Key-Pair. Each Compo- 
nent has Receptors and each Message is packed into a Substance which is an 
encrypted Message with Receptors. Only if a Receiver has the right Set of Re- 
ceptors, it will receive the Message - the Idea of a Public-Key Infrastructure and 
widely used in Multi Agent System for the Disarming of Bad-Agents/-artificial 
Cells; however, in our Implementation, there is not any centralised Key-Server. 

Additionally, we introduce artificial Lymph Nodes and Central Nativity and 
Training Stations (CNTS). Artificial Lymph Nodes supply the artificial Cells 
with e.g. Knowledge, initiate other artificial Cells if an event occurs and artificial 
Lymph Nodes care about the Routing of Substances. CNTS train and release 
new artificial Cells in order to have an evolutionary Set of artificial Cells which
are up-to-date. Both, artificial Lymph Nodes and Central Nativity and Training
Stations, are installed redundantly in the System.

3.5 Self-Management of the artificial Immune System 

The Self-Management of the System is currently only rudimentary. The artificial 
Cells are autonomous and thus they flow through the Network and perform cer- 
tain Tasks. However, one Problem of Massively-Distributed Systems or Complex 
Adaptive Systems is that they just do their Tasks but there is not any guarantee 
that the Systems will do the Tasks successfully. On the basis of the artificial Cell 
Communication and novel Structures, we want to introduce a distributed Self- 
Management of the artificial Immune System in order to give a certain amount 
of Guarantee. However, this is one of the Next Steps explained in the Section 6. 

4 SANA - Implementation

The Project SANA is implemented in Java. The Network Simulator, Adversarial, 
and the artificial Immune System are implemented and running. Different Types 
of artificial Cells are implemented. The Performance of these artificial Cells is 
tested and they perform the Tasks properly. Attack-Scenarios are additionally 
implemented for Testing Purposes and one example is a realistic Worm-Attack
which will be discussed in the Section 5.1. 

The whole Implementation has the aim to give a Prototype for Testing and 
Evaluation of the Approaches. Furthermore, the Implementation focuses more 
on Expandability than on Performance; it is also possible to model nearly all 
Intrusions and nearly all immunological Processes. It is also possible to add 
commonly used Network Security Solutions like SNORT [1] or Malfor [21]. With
this, we can compare the Performance of SANA with commonly used IDS and we
can model cooperation between SANA and IDS. 

5 SANA - Results 

The Results we gained are promising. SANA identifies most Attacks - about 
60%-85% - depending on the Attack-Behaviour, the Network Topology and the 
Behaviour of the artificial Immune System with the artificial Cells. The infected 
Nodes are identified quickly by AGNOSCO and the System adapts to Attacks 
using local Immunization. 

If there are IDS or especially NIDS in the Network which protect important 
Nodes like the Internet Gateway or the E-Mail-Server, there is cooperation be- 
tween SANA and the IDS with a good performance - about 80%-95% of the 
Attacks are prevented. Thus, SANA does not replace existing IDS, it enhances
them. 

In the next Section, we discuss the Results of a Simulation of a realistic 
Worm-Attack. 

5.1 Simulation of a Worm-Attack 

In this Section, we discuss a Modelling of a realistic Worm-Attack onto the Network.
The Worm enters a Network and uses a Security-Hole in a Node in order
to install itself. After this, the Worm tries to propagate itself to other Nodes; therefore,
it sends lots of Packets containing a copy of itself to other Nodes. SANA tries
to identify and remove these Packets, identifies the infected Nodes and disinfects 
the identified infected Nodes. Therefore, SANA uses the different types of arti- 
ficial Cells explained in the Section 3.3 and the artificial Cell Communication 
explained in the Section 3.4. 

The Performance of SANA in this Simulation is promising. It secures other 
Nodes from being infected by this Worm using ANIMA for Intrusion Detection 
[22]; only some Neighbour-Nodes are infected (about 2-5 Nodes for each Infec- 
tion). It also identifies the infected Nodes using AGNOSCO [23] quickly (about 
50-150 Time-Steps for each infected Node) and using the artificial Cell Communication
(Section 3.4), AGNOSCO informs the artificial Lymph-Nodes (Section
3.4) which start an artificial Cell for Disinfection which disinfects the Node fast.
To sum up, SANA protects the Network against a Worm-Attack properly. 
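
The Worm scenario of this Section reduced to its Packet-checking part, as an added Python sketch (it is neither the SANA implementation nor a reproduction of its Results). The topology, the random-walk movement of the Cells and the one-Packet-per-Neighbour Worm are assumptions; Identification and Disinfection of infected Nodes are not modelled.

```python
import random

def simulate_worm(neighbours, patient_zero, cell_count, steps, seed=0):
    """Worm spread on an undirected graph guarded by mobile checking cells.

    Every step each infected node sends one worm packet to each neighbour.
    A packet arriving at a node that currently hosts a cell is removed;
    otherwise the receiver becomes infected. Cells then hop to a random
    neighbour (this movement policy is an assumption of the sketch).
    """
    rng = random.Random(seed)
    nodes = sorted(neighbours)
    # Deterministic initial spread of cells: cell i starts on node i mod n.
    cells = [nodes[i % len(nodes)] for i in range(cell_count)]
    infected, removed, history = {patient_zero}, 0, []
    for _ in range(steps):
        guarded = set(cells)
        newly = set()
        for src in sorted(infected):
            for dst in neighbours[src]:
                if dst in infected:
                    continue
                if dst in guarded:
                    removed += 1      # cell found the worm copy and dropped it
                else:
                    newly.add(dst)
        infected |= newly
        cells = [rng.choice(neighbours[c]) for c in cells]
        history.append(len(infected))
    return {"infected": infected, "removed": removed, "history": history}

def ring_with_chords(n):
    """Constructed topology: a ring of n nodes plus a chord to the node 5 ahead."""
    g = {i: set() for i in range(n)}
    for i in range(n):
        for j in ((i + 1) % n, (i + 5) % n):
            g[i].add(j)
            g[j].add(i)
    return {k: sorted(v) for k, v in g.items()}

if __name__ == "__main__":
    graph = ring_with_chords(20)
    for count in (0, 10, 20):
        run = simulate_worm(graph, 0, cell_count=count, steps=6)
        print(count, "cells:", run["history"], "removed", run["removed"])
```

Because the Cells in this sketch only remove Packets, they slow the spread rather than stop it, which is why the paper pairs Packet-checking with Identification and Disinfection of infected Nodes.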

5.2 Theoretical Analysis of distributed IDS 

In the theoretical Part of the SANA-Project, we compare the Performance and 
the Need of Resource of distributed and centralised Network Security Systems. 
Examples for centralised are e.g. IDS and for distributed AIS. However, the 
Analysis shows quickly that the Performance of both Approaches is highly
dependent on the Network Topology and the Behaviour of the Intrusions. The 
Analysis fortunately shows that the Performance of IDS is increased if AIS are 
added and the additionally needed Resources are limited. 

6 SANA - Next Steps 

Next Steps in the SANA-Project are to simulate realistic Attacks on Networks,
e.g. different Worm-, Virus- and Malware-Attacks; also Attacks which consist of
several different Attacks. Additionally, another part is to increase the Performance
of the artificial Cell Communication (Section 3.4) and analyse the Performance
of it theoretically. Furthermore, we will introduce a Self-Management
(Section 3.5) which guarantees a certain amount of Security and we will perform 
further theoretical Comparison (Section 5.2) between distributed and centralised 
Network Security Systems. 

7 Conclusion 

Network Security is still a challenging field. Unfortunately, the Attacks are get- 
ting both more complex and intelligent. Therefore, existing Network Security 
Systems have problems to cope with these Problems. We introduce with SANA 
an artificial Immune System with several non-standard Approaches for Network 
Security. With the gained Results, we are sure that SANA will enhance current 
Network Security Systems. 

One last word about SANA: SANA is Latin and stands for healthy. Further- 
more, the Work is done interdisciplinary in cooperation between Researchers 
from Biology and Computer Science. 